Thursday, February 2, 2012

Creating Strong Passwords

To create a strong password, you should use a string of text that mixes numbers, letters that are both lowercase and uppercase, and special characters. It should be eight characters, preferably many more. A lot more. The characters should be random, and not follow from words, alphabetically, or from your keyboard layout.

So how do you make such a password?


1) Spell a word backwards. (Example: Turn "New York" into "kroywen.")
2) Use l33t speak: Substitute numbers for certain letters. (Example: Turn "kroywen" into "kr0yw3n.")
3) Randomly throw in some capital letters. (Example: Turn "kr0yw3n" into "Kr0yw3n.")
4) Don't forget the special character. (Example: Turn "Kr0yw3n" into "Kr0yw3^.")

You don't have to go for the obvious and use "0" for "o," or "@" for "a," or "3" for "e," either. As long as your replacement makes sense to you, that's all that matters. A "^" for an "n" makes sense to me.

Other Tips
Choose something simple to remember as a password, but whenever you type it, put your fingers on the wrong keys—maybe one key to the left or right. Then a password like "kroywen" becomes "jeitqwb" or "ltpuerm." This is only going to work for non-perfectionist touch-typists. And skip this tip if you type passwords on your phone; you'll only sprain a thumb trying to be inaccurate instead of letting the inaccuracy flow naturally.

Another option is to pick a pattern on the keyboard and type based on that. For example, a counter-clockwise spin around the letter d could result in "rewsxcvf." Throw in some random caps and numbers to really lock it down.

Perhaps the easiest thing to remember is an acronym from a phrase of your choice. "We didn't start the fire, it was always burning" becomes "wdstfiwab" based on the first letters of each word.

Remember, the longer the password, the stronger it is. Always. Something more than 15 characters is very difficult to remember, but it'll be a breeze with a mnemonic.

Third-Party Passwords
If you don't trust yourself to create an unbreakable password, there are plenty of tools that will make one for you. The PC Tools Secure Password Generator, for example, makes one based on your criteria: how long, include (or don't) mixed case, numbers, punctuation, similar character replacement, etc. It even provides a phonetic pronunciation guide that you use as your mantra while typing the password, for example:


MA7ApUp# is MIKE - ALPHA - seven - ALPHA - papa - UNIFORM - papa – hash

Password Testing
If you're worried that your password of choice isn't strong enough, check it at How Secure is My Password?. The site will even tell you how long the average PC would take to crack it. For example, cracking "kroywen" would take 13 minutes, "kr0yw3n" would take about 2 hours, "Kr0yw3^" 15 days, and "MA7ApUp#" about 3 years.

You can tell from these results that mixing capital and small letters are better for strength and more characters (eight instead of seven) also make a huge difference. Adding a single capital letter to the end of "Kr0yw3^," such as "Kr0yw3nZ," boosts the crack time to 3 years. Throw another special character in ("Kr0yw3^Z!") and it jumps to 237 years.

The Right Advice is Wrong
Some experts will tell you to do a couple of things that go against conventional password wisdom. And the reasons are simple: productivity.

For example, I read a treatise on why you should write down your passwords, especially if you actually go the distance and use a unique string of characters for every log in. The amount of time you could lose trying to remember each password whenever you have to type it in may not be worth it. Just try to keep the list somewhere that's not readily accessible, such as in your wallet. A desk drawer at work is not optimal for keeping out snooping co-workers.

Related advice from a Microsoft researcher says that having multiple passwords is also not worth the effort. Or, more specifically, the indirect costs of the effort of tracking them all. That's right, that big list of passwords I just said to put in your pocket? Maybe it's not worth it.

Of course, all such worries are moot if you follow the advice above and create super-seekrit-strong passwords that you can easily remember.




Inspired by article in PCMAG by Eric Griffith 11/29/11